hagezi / dns-blocklists

DNS-Blocklists: For a better internet - keep the internet clean!
GNU General Public License v3.0

datadog.pool.ntp.org #4400

Closed celenityy closed 4 days ago

celenityy commented 5 days ago

Which domain(s) should be blocked?

0.datadog.pool.ntp.org
1.datadog.pool.ntp.org
2.datadog.pool.ntp.org
3.datadog.pool.ntp.org
datadog.pool.ntp.org

Why should these domain(s) be blocked?

NTP servers like this are usually harmless, as they serve legitimate purposes & provide important functionality.

However, these servers are run by the analytics company Datadog, and appear to be used for the sole, explicit purpose of tracking.

From their docs:

The Network Time Protocol (NTP) integration is enabled by default and reports the time offset from an ntp server every 15 minutes. When the local Agent’s time is more than 15 seconds off from the Datadog service and other hosts you are monitoring, you may experience:

Incorrect alert triggers
Metric delays
Gaps in graphs of metrics

Data Collected: Metrics
ntp.offset (gauge): The time difference between the NTP reference clock and the local clock. Shown as second

Service Checks
ntp.in_sync: Returns CRITICAL if the host clock is more than the configured threshold away from the NTP time. Returns UNKNOWN if the Agent can not connect to the NTP server. Returns OK otherwise.

This is the first time I've seen an NTP server abused for tracking like this... I wonder if it'll become more common? This type of data is highly fingerprintable.

I initially discovered this via observing various adware mobile games phoning home to the servers. Haven't noticed any issues or heard any complaints with them blocked.

Privacy

hagezi commented 5 days ago

The NTP servers are only used internally in their agent, a normal user of apps and sites that use their services for analytics and the like will never see these calls in the logs.

celenityy commented 5 days ago

The NTP servers are only used internally in their agent, a normal user of apps and sites that use their services for analytics and the like will never see these calls in the logs.

I see these frequently in logs, which is what drew my attention in the first place.

Actually, as recently as a few seconds ago apparently:


They appear to be using this for some kind of tracking/fingerprinting, and in my experience, it seems to be coming from mobile games that implement their tracking.

Based on a ControlD forum post, it looks like others have also encountered these in the wild:

2022-08-21 18:29:36 | PASS | 0.datadog.pool.ntp.org | 46.17.88.210, 81.21.76.27, 95.215.175.2, 80.87.128.222

2022-08-22 08:37:25 | PASS | 0.datadog.pool.ntp.org | 85.199.214.98, 139.162.219.252, 178.62.16.103, 178.62.68.79
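As an added example (not part of this issue thread or the hagezi project), the following script shows how a defender could scan resolver logs in the same "time | verdict | domain | answers" layout as the ControlD entries above for the domains requested here. It matches exact names and any subdomain of a listed name, so `0.datadog.pool.ntp.org` is caught while the general `pool.ntp.org` is not, and it separates entries that were still resolved (PASS) from ones the resolver already blocked. The sample log lines, timestamps and IP addresses are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# The domains this issue asks to block.
BLOCKLIST = frozenset({
    "datadog.pool.ntp.org",
    "0.datadog.pool.ntp.org",
    "1.datadog.pool.ntp.org",
    "2.datadog.pool.ntp.org",
    "3.datadog.pool.ntp.org",
})

# Constructed sample log (timestamps, verdicts and IPs are made up), laid out
# like the ControlD entries quoted in the thread: time | verdict | domain | answers
SAMPLE_LOG = """\
2024-11-20 10:01:02 | PASS | 0.datadog.pool.ntp.org | 192.0.2.10, 192.0.2.11
2024-11-20 10:01:05 | PASS | pool.ntp.org | 192.0.2.20
2024-11-20 10:02:17 | PASS | 3.DATADOG.pool.ntp.org. | 192.0.2.30
2024-11-20 10:03:44 | BLOCK | 2.datadog.pool.ntp.org | 0.0.0.0
2024-11-20 10:04:00 | PASS | time.cloudflare.com | 192.0.2.40
"""


@dataclass(frozen=True)
class LogEntry:
    when: datetime
    verdict: str
    domain: str
    answers: tuple


def normalize(domain: str) -> str:
    """Lower-case the name and drop a trailing dot so lookups are canonical."""
    return domain.strip().rstrip(".").lower()


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one pipe-separated log line; return None for lines that do not fit."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 4:
        return None
    when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
    answers = tuple(a.strip() for a in parts[3].split(",") if a.strip())
    return LogEntry(when, parts[1].upper(), normalize(parts[2]), answers)


def is_listed(domain: str, blocklist=BLOCKLIST) -> bool:
    """True if the domain, or any parent of it, is on the blocklist.

    Walks the label suffixes: for 0.datadog.pool.ntp.org this checks
    0.datadog.pool.ntp.org, datadog.pool.ntp.org, pool.ntp.org, ntp.org, org.
    """
    labels = normalize(domain).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_hits(log_text: str, blocklist=BLOCKLIST) -> list:
    """All parsed entries whose queried domain is covered by the blocklist."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and is_listed(entry.domain, blocklist):
            hits.append(entry)
    return hits


def unblocked_hits(log_text: str, blocklist=BLOCKLIST) -> list:
    """Listed domains the resolver still answered, i.e. the gap a new rule would close."""
    return [e for e in find_hits(log_text, blocklist) if e.verdict != "BLOCK"]


if __name__ == "__main__":
    for entry in unblocked_hits(SAMPLE_LOG):
        print(f"{entry.when:%Y-%m-%d %H:%M:%S} still resolved {entry.domain} -> {', '.join(entry.answers)}")
```

Pointing `find_hits` at a real resolver export (one query per line in the same layout) gives a quick count of how often a network actually contacts these names before and after adding the rule; the suffix walk is what keeps `pool.ntp.org` itself out of the results.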

hagezi commented 5 days ago

That's wild ...

github-actions[bot] commented 5 days ago

Thank you for your support. The issue is scheduled to be fixed in the next release. You will be notified when the issue is finally fixed.

github-actions[bot] commented 4 days ago

This issue has been fixed in release 2024.326.59335